
LinkedIn’s security teams have patched a security issue that could have allowed attackers to execute spear phishing campaigns and potentially assume remote control over victims’ accounts.

This move is the result of researchers from Kaspersky Lab having warned LinkedIn of the vulnerability back on November 14, 2014.

[Figure: LinkedIn br code leak. Source: Kaspersky Lab – SecureList]

In a blog post, Kaspersky Lab Senior Security Researcher Ido Naor explains how two malfunctions in the way LinkedIn processed and displayed user comments alerted him to the fact that something was wrong. The first was that different escape characters were displayed when the same comment was posted from different devices; the second was a back-end parser issue in which the CRLF “Enter” keystroke was interpreted as a <br /> tag and displayed literally in the comment’s text.

Further research led to the discovery of two separate email platforms used by LinkedIn to notify users of comments.

“Submitting comments with HTML tags from the web platform generated %3C as the less-than character, while the same input from a mobile device was encoded to &lt;,” explains Naor. “…Another interesting insight was that every comment to a post is sent via an email platform to all other users who were part of the thread. The differences in the body of that email confirmed our suspicions…. That proved that two different email platforms exist and that mobile notifications could help to deliver a malicious payload without any user-supplied input validations.”

As a result, if an attacker had sent a user malicious code in a comment from a mobile device, the application server might have escaped the dangerous characters for display on the site, yet the email notification template would still have delivered the payload to the target exactly as the attacker wrote it.

In the worst case scenario, attackers could have targeted an email provider that failed to properly escape the content of incoming email and executed a malicious JavaScript injection, otherwise known as a stored XSS. They could also have phished for user information with fake HTML forms and redirected victims to malicious websites.
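The root cause described above is that escaping was tied to the input channel (URL-encoding on the web path, HTML-entity encoding on the mobile path) rather than to the output context, so a template that assumed "someone upstream already escaped this" could emit raw markup into an HTML email. The following added example (not Kaspersky's or LinkedIn's code; the channel names, template and sample comment are constructed for illustration) shows the pattern a defender wants: undo the transport encoding once on ingest, store plain text, and escape at every output context, with the CRLF-to-<br /> conversion applied only after escaping. It also contrasts this with a notification renderer that trusts its input.

```python
import html
from urllib.parse import quote, unquote

# Constructed sample comment for this example: one harmless line, one line of markup.
SAMPLE_COMMENT = "Nice post!\r\n<script>alert(1)</script>"

# Hypothetical notification template; the comment body is interpolated at {body}.
EMAIL_TEMPLATE = "<p>{author} commented on a post you follow:</p><blockquote>{body}</blockquote>"


def canonicalize(payload: str, channel: str) -> str:
    """Undo the channel's transport encoding so storage holds plain text exactly once.

    Modelled on the two ingestion paths described in the article: the web client
    sent '<' as %3C (URL encoding), the mobile client sent it as &lt; (HTML entity).
    """
    if channel == "web":
        return unquote(payload)
    if channel == "mobile":
        return html.unescape(payload)
    raise ValueError(f"unknown channel {channel!r}")


def to_html_fragment(text: str) -> str:
    """Escape for an HTML context FIRST, then turn line breaks into <br />.

    Doing the replacement before escaping would turn the inserted '<' into '&lt;'
    and print the tag literally, which is the display bug the article mentions.
    """
    escaped = html.escape(text, quote=True)
    return escaped.replace("\r\n", "<br />").replace("\n", "<br />")


def vulnerable_email_body(author: str, comment: str) -> str:
    """Bug pattern: assumes upstream already escaped the comment and only fixes newlines."""
    body = comment.replace("\r\n", "<br />").replace("\n", "<br />")
    return EMAIL_TEMPLATE.format(author=html.escape(author), body=body)


def safe_email_body(author: str, comment: str) -> str:
    """Hardened renderer: escaping happens here, at the output context, every time."""
    return EMAIL_TEMPLATE.format(author=html.escape(author), body=to_html_fragment(comment))


def has_unexpected_tags(fragment: str) -> bool:
    """True if a rendered comment fragment contains any tag other than the <br /> we emit."""
    return "<" in fragment.replace("<br />", "")


def demo() -> dict:
    """Run the sample through both channels and both renderers; return the results."""
    web_payload = quote(SAMPLE_COMMENT)          # what the web client would transmit
    mobile_payload = html.escape(SAMPLE_COMMENT)  # what the mobile client would transmit
    stored_from_web = canonicalize(web_payload, "web")
    stored_from_mobile = canonicalize(mobile_payload, "mobile")
    safe_fragment = to_html_fragment(stored_from_mobile)
    vuln_body = vulnerable_email_body("Someone", stored_from_mobile)
    return {
        "canonical_same_for_both_channels": stored_from_web == stored_from_mobile,
        "safe_fragment": safe_fragment,
        "safe_has_tags": has_unexpected_tags(safe_fragment),
        "vulnerable_has_script": "<script>" in vuln_body,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Canonicalizing on ingest also avoids the opposite failure: a mobile comment that legitimately contains `&lt;3` is stored as `<3` and escaped once at output, so it displays as typed rather than as a literal `&lt;3`. The `has_unexpected_tags` check is the kind of assertion worth keeping in a unit test for any template that renders user-controlled text into HTML email.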

[Figure: LinkedIn stored XSS. Source: Kaspersky Lab – SecureList]

To avoid these and other types of attack, Naor recommends that users maintain an updated Internet Security provider on their machines, exercise caution whenever opening an attachment, and decouple their corporate email accounts from their LinkedIn profiles.

To learn more about phishing attacks and how you can avoid becoming a victim, please click here.